Amazon, HIPAA, and Privacy

Earlier this year, I wrote about Amazon stepping into the healthcare industry. As of this week, Amazon has officially taken the next step into the healthcare industry, creating Amazon Care for its Seattle-based employees.

This new healthcare plan will offer Amazon employees four unique benefits:

  • Video Care: a visit with a third-party physician from Oasis Medical through the Amazon Care app.
  • Mobile Care: an in-person visit from a nurse who can conduct any physical testing you may need.
  • Care Chat: an in-app chat session with a nurse.
  • Care Couriers: delivery of prescribed medications to your home or office.

While this may seem similar to the virtual physician programs many insurance companies now offer to their customers (Amazon is not the only tech giant to launch its own healthcare program for its employees; Apple owns AC Wellness. Amazon is, however, the only one that owns the servers), there is one startling difference: privacy. This healthcare system is owned and operated by the employer. Therefore, the employees' healthcare records are stored on servers owned by the employer.

While Amazon has contracted Oasis Medical as its provider, Oasis remains legally separate from Amazon. Though there is no mention of where the employee health records will be stored, an obvious guess would be Amazon Web Services (AWS). For those unfamiliar with AWS, it is an on-demand cloud computing platform with revenues of $25.6B in 2018. In simple terms, AWS is the largest and most dominant cloud storage company in the world.

In November of 2018, Amazon suffered a major data breach affecting its online retail customers. Customers' names and email addresses were disclosed on its website as a result of this issue. Amazon's response to the public was, "We have fixed the issue and informed customers who may have been impacted."* Though quickly fixed, the breach did expose a flaw in Amazon's cybersecurity.

Then, in June of 2019, Capital One suffered a significant data breach of its AWS-hosted database. This breach impacted about 100 million individuals in the US and approximately six million in Canada. According to Capital One, the breach happened because of a misconfigured firewall that allowed the hacker access to Capital One's database. In the aftermath of the incident, Amazon quickly refused any blame for the intrusion.

"As a customer, you maintain full control of your content and responsibility for configuring access to AWS services and resources," Amazon says on its website about the cloud service, adding a crucial statement that absolves it of leak-blame: "You choose how your content is secured." *

Storing any medical records on a system that absolves itself of blame is risky. The HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules) establish essential protections for individually identifiable health information, known as protected health information (PHI). Under the HIPAA Rules, Oasis Medical would be considered the covered entity** and AWS the business associate**, but where would Amazon fit? As the parent company of AWS, would it be considered a business associate and thereby be obligated to follow HIPAA? Or would it be exempt from the HIPAA Rules because it is the employer and AWS is a legal subsidiary?

As Amazon continues to take bold strides into the healthcare marketplace, the issue of privacy needs to be addressed. While the Department of Health and Human Services (HHS) has recently issued guidance on HIPAA and Cloud Computing, it stops short of creating a new classification for an employer that is also, through a subsidiary, a business associate.

Or, further down the line, when Amazon reviews its healthcare costs, will it begin to look at employees' Whole Foods purchases to determine whether they are living a healthy lifestyle? Or will it use the audio from an employee's Alexa devices to investigate questionable healthcare claims?

I genuinely hope Amazon Care stays secure and cares for its patients' well-being, but should there be a leak, will the Jeff Bezos-powered internet giant say, "You choose how your content is secured."?